The current best practices for securing large-scale Web Services on Internet-connected computer systems rely on layered computer network defenses built from firewalls, IDS/IPS appliances, network flow guards, PKI certificates and VPN technologies. These are costly to procure, deploy and maintain, and they require a significant amount of physical and personnel security to mitigate their shortcomings. Furthermore, they make it difficult to share information with parties outside the network.
Most organizations today use an amalgam of security technologies and methods to secure their internal networks while allowing remote access to the network and communication with partner organizations. Typically their network layout is a set of internal LANs fronted by a DMZ LAN, which then connects to the Internet, or to communications links with a partner organization, through firewalls and VPNs. This is known as a “castle moat” style of network security: whatever is inside the perimeter is trusted, and the controls are concentrated at the boundary. With the advent of ubiquitous radio-based networking and a greater desire to share internal information with outsiders, such as customers and partners, via Internet communications and Web Services, a new model is needed, called an “airport” style of network security. Information technology access control must now be done at the granularity of individual users and individual items of information, rather than at the granularity of the network a request happens to arrive from.
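The distinction between the two models is easiest to see as two authorization functions run over the same requests. The following Python is an added illustration, not code from the original text: the `Request` fields, the LAN prefixes in `INTERNAL_NETS`, the sensitivity labels and the sample requests are all constructed for this example. The "castle moat" decision looks only at the source address; the "airport" decision ignores location entirely and asks who the authenticated principal is and whether that principal is cleared for the label on the specific item of information.

```python
"""Perimeter ("castle moat") vs. per-user/per-information ("airport") access
control, evaluated side by side on constructed sample requests.

Added example; all names, labels, addresses and requests are assumptions made
for this illustration and do not come from the original text.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Optional, Tuple

# Assumed corporate LAN prefixes (constructed for this example).
INTERNAL_NETS = (ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"))


@dataclass(frozen=True)
class Request:
    source_ip: str
    user: Optional[str]          # authenticated principal; None if anonymous
    clearances: FrozenSet[str]   # attributes asserted for that principal by the IdP
    resource: str                # the item of information being requested
    label: str                   # sensitivity label attached to that item


def castle_moat_allows(req: Request) -> bool:
    """Perimeter model: a request is trusted because of where it comes from."""
    addr = ip_address(req.source_ip)
    return any(addr in net for net in INTERNAL_NETS)


def airport_allows(req: Request) -> bool:
    """Per-user / per-information model: the network is untrusted everywhere.
    The decision rests on who the principal is and what the information is."""
    if req.user is None:
        return False
    return req.label in req.clearances


# Constructed sample traffic covering the four interesting combinations.
SAMPLE_REQUESTS: Tuple[Request, ...] = (
    # Insider on the LAN who holds no clearance for partner data.
    Request("10.1.2.3", "alice", frozenset({"public", "internal"}),
            "partner-forecast.xlsx", "partner-confidential"),
    # External partner over the Internet, authenticated and cleared for it.
    Request("203.0.113.7", "bob@partner.example",
            frozenset({"public", "partner-confidential"}),
            "partner-forecast.xlsx", "partner-confidential"),
    # Unauthenticated request from inside the LAN (e.g. a compromised host).
    Request("192.168.5.9", None, frozenset(), "hr-salaries.csv", "internal"),
    # Authenticated insider reading internal data from a home connection.
    Request("198.51.100.4", "alice", frozenset({"public", "internal"}),
            "hr-salaries.csv", "internal"),
)


def decide_all(requests: Tuple[Request, ...] = SAMPLE_REQUESTS
               ) -> Dict[Tuple[str, str], Dict[str, bool]]:
    """Evaluate every request under both models, keyed by (source_ip, resource)."""
    return {
        (r.source_ip, r.resource): {
            "castle_moat": castle_moat_allows(r),
            "airport": airport_allows(r),
        }
        for r in requests
    }


if __name__ == "__main__":
    for key, verdict in decide_all().items():
        print(key, verdict)
```

Run as a script, the table shows the two models disagreeing on every sample request: the perimeter model admits the unauthenticated LAN host and the uncleared insider while refusing the cleared partner and the legitimate remote employee, whereas the per-user/per-information model reverses each of those decisions. Note that the airport model as written still depends on a trustworthy identity provider to assert `clearances`; that assertion, not the network boundary, becomes the thing worth protecting.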